The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Damage to information systems by viruses, worms and other malicious code is one of the biggest challenges in network and system security. The threats continue to grow both in terms of frequency and degree of potential damage.
Furthermore, the extended reach of networks across campuses, into meeting places, coffee houses, hotels, airports and elsewhere has encouraged development of Internet Protocol (IP) based devices, such as voice over IP (VOIP) telephones and, particularly, wireless IP devices, such as IEEE 802.11 conforming and Bluetooth VOIP telephones and PDAs (Personal Data Assistants). Connection of mobile devices to networks presents even greater challenges for protecting networks, as the growth in access points has resulted in an increase in points of vulnerability in the network, and has allowed viruses to spread at ever faster rates.
The old paradigm for many businesses was to standardize desktop machines because standard configurations are easier for an Information Technology (IT) department to maintain, and desktops tend to be less expensive than equally powerful portables. However, users today tend to customize their machines, and may install software over which IT loses control. Mobile devices attach to networks over which IT has no control. It is much more challenging to protect a network against software that is loaded and active when a mobile device gains access to the network than to protect a desktop from accidentally downloading a virus over controlled network channels.
One approach to protecting a network has been to enforce the presence of a particular virus checker on machines seeking Internet access through controlled network channels. For instance, SonicWALL™ firewalls can be configured to enforce installation of an edition of McAfee's virus checking software. However, the firewall's enforcement mechanism is limited to blocking Internet access, as firewalls are conceptually placed on the perimeter of a network, facing the Internet. A firewall can block the spread of viruses between different networks, but not within the network itself. The firewall's checking mechanism is only invoked when a user attempts to reach the Internet through the firewall, and it only checks for an active virus scanning program. A mobile device that joins the network will have free access to core network resources without necessarily invoking the firewall's checking mechanism.
Another approach has been to implement Patch Management Systems that prevent and cure viruses and worms by patching the software. However, many patches when implemented have unintended consequences, such as introducing new glitches into the software. Therefore, even when a patch is available, actual patching is frequently only performed after testing on a parallel system. Furthermore, when a network system is already compromised, automated patch updating may not work. Significantly, patch management systems also regularly rely on users to comply with instructions to download and install a patch. However, users frequently ignore pop-up windows or other messages that indicate that patches and updates are recommended, and do not install the patch.
Complicating the issue, many network environments provide different users with access to different resources depending on who the user is. In particular, many networks are configured to allow guests, such as consultants or contractors, to have at least limited access to network resources. Visitors gaining access to a network are especially likely to introduce problems into a network, as enterprise IT departments have no control over these users or the devices they use.
Based on the foregoing, known techniques for managing the security of IP connected devices and software are inadequate, especially for mobile users that remotely access a network, and there is a need for alternative techniques for protecting a network.